While we are on the topic of PDB signatures…
As discussed in detail in this article (and numerous other sources), the age that you find in an executable’s codeview debug data should match the age you find in the second stream in the corresponding PDB file:
http://www.godevtool.com/Other/pdb.htm
However, I am finding PDBs whose internal age does not match the corresponding executable. This is what I did…
dumpbin /headers c:\windows\system32\ntoskrnl.exe
Time Type Size RVA Pointer
4E02AAA3 cv 25 001A300C 1A260C Format: RSDS,
{47F5C3BF-9E0A-493C-9F63-BB8F6413358B}, 2, ntkrnlmp.pdb
4E02AAA3 ( A) 4 001A3008 1A2608 BB03197E
Here we see the age is 2 and the GUID is {47F5C3BF-9E0A-493C-9F63-BB8F6413358B}
So then I asked the MS Symbol server for the symbol for ntoskrnl.exe
using symchk:
symchk c:\downloads\ntos\ntoskrnl.exe /v /s SRV*c:\downloads\ntos*http://msdl.microsoft.com/download/symbols
…
DBGHELP: ntoskrnl - public symbols
c:\downloads\ntos\ntkrnlmp.pdb\47F5C3BF9E0A493C9F63BB8F6413358B2\ntkrnlmp.pdb
[SYMCHK] MODULE64 Info ----------------------
[SYMCHK] Struct size: 1680 bytes
[SYMCHK] Base: 0x0000000140000000
[SYMCHK] Image size: 6197248 bytes
[SYMCHK] Date: 0x4e02aaa3
[SYMCHK] Checksum: 0x0055c228
[SYMCHK] NumSyms: 0
[SYMCHK] SymType: SymPDB
[SYMCHK] ModName: ntoskrnl
[SYMCHK] ImageName: c:\downloads\ntos\ntoskrnl.exe
[SYMCHK] LoadedImage: c:\downloads\ntos\ntoskrnl.exe
[SYMCHK] PDB: “c:\downloads\ntos\ntkrnlmp.pdb\47F5C3BF9E0A493C9F63BB8F6413358B2\ntkrnlmp.pdb”
[SYMCHK] CV: RSDS
[SYMCHK] CV DWORD: 0x53445352
[SYMCHK] CV Data: ntkrnlmp.pdb
[SYMCHK] PDB Sig: 0
[SYMCHK] PDB7 Sig: {47F5C3BF-9E0A-493C-9F63-BB8F6413358B}
[SYMCHK] Age: 2
[SYMCHK] PDB Matched: TRUE
[SYMCHK] DBG Matched: TRUE
[SYMCHK] Line nubmers: FALSE
[SYMCHK] Global syms: FALSE
[SYMCHK] Type Info: TRUE
[SYMCHK] ------------------------------------
SymbolCheckVersion 0x00000002
Result 0x00130001
DbgFilename
DbgTimeDateStamp 0x4e02aaa3
DbgSizeOfImage 0x005e9000
DbgChecksum 0x0055c228
PdbFilename
c:\downloads\ntos\ntkrnlmp.pdb\47F5C3BF9E0A493C9F63BB8F6413358B2\ntkrnlmp.pdb
PdbSignature {47F5C3BF-9E0A-493C-9F63-BB8F6413358B}
PdbDbiAge 0x00000002
[SYMCHK] [0x00000000 - 0x00130001] Checked “c:\downloads\ntos\ntoskrnl.exe”
SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1
So symchk got the PDB with the same GUID and age as what was stored in the binary.
However, when I dump the streams from that PDB (using any number of free tools that do so) and view the second stream in a hex editor, the age is not 2, it is 5:
94 2E 31 01 A7 AA 02 4E [05 00 00 00] [BF C3 F5 47
0A 9E 3C 49 9F 63 BB 8F 64 13 35 8B] 0A 00 00 00
2F 4C 69 6E 6B 49 6E 66 6F 00 01 00 00 00 02 00
00 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00
The GUID in brackets matches the one that was downloaded, but the age is 5, not 2. Can anyone explain this variance?